This week’s scheduled column on security maturity has been rescheduled for next week.
It's because I can’t take the misinformation anymore.
I was recently contacted by the company that manages my stock to open up a new Web site log-on account. During new account creation, it asked me to input a secure password. So, I put in my normal password, which is 21 characters long followed by 10 characters that are unique per Web site, but uses only lowercase letters. The length of the base password prevents basic password cracking and guessing, while the additional characters make the overall password (or pass phrase) unique so that no two resources ever have the same password.
At 31 characters long, my password is all but unhackable. Attackers will need to find another way to compromise my account rather than trying to guess it or crack it with brute force.
But of course, as usual, the finance company's Web site required that my password be complex, using three of four presented sets of characters, such as at least one uppercase character or one nonalphanumeric symbol. So although the password could be only six characters long, according to their policy, it also had to be complex.
The conventional thinking is that the additional complexity presents such an increased workload for the hacker that complexity is the holy grail of password hacking prevention. After all, conventional wisdom says that all the good Web sites require complexity. Heck, a Microsoft Windows log-on password requires complexity. Every new password policy I read requires complexity -- but gives scant consideration to the equal (or better) importance of longer password length.
They're all wrong! Character-for-character, password length is more important for security than complexity. Requiring complexity but allowing passwords to remain short makes passwords more vulnerable to attack than simply requiring easier-to-remember, longer passwords.
For everyone using six- to nine-character passwords with “complexity,” I appreciate it. I get paid to break into systems for a living, and you make my job easier.
Strength is provided by increasing the number of possible passwords the attacker has to guess (let’s call this the keyspace even though it really isn’t appropriate in this context). The keyspace is represented mathematically as X^L, where X is the number of possible characters that can be in the password and L is the length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X.
But conventional wisdom will have you believe that increasing complexity forces the password attacker to use significantly more possible characters in their attack. In the X^L formula example, forcing the use of capitalized letters requires the value of X to go from 26 for all possible lowercase letters to 52 for both uppercase and lowercase letters. And if you include nonalphanumeric characters, X goes up to 94 to support all the normal single characters you can type on a 101-key keyboard. Windows will allow you to use any Unicode character, which includes upwards of 65,000 different symbols.
Of course, most people only use the 94 standard keyboard keys. And if people actually evenly used the 94 characters of potential complexity, short passwords would be uncrackable, because 94^8 = 6,095,689,385,410,816 possible passwords -- which is uncrackable using anything known today or in the near future.
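To put numbers on the X^L comparison for a password policy review, the following added example (not part of the original column) computes how long a lowercase-only password must be to match a short "complex" one, using the 26-, 52- and 94-character sets quoted above. The function names are illustrative, and every figure assumes characters are chosen uniformly at random, so it is an upper bound on real-world strength.

```python
import math

# Alphabet sizes quoted in the column.
LOWER, MIXED_CASE, KEYBOARD = 26, 52, 94


def keyspace(alphabet: int, length: int) -> int:
    """X^L: number of candidates an exhaustive search must cover.
    Upper bound only; assumes uniformly random character choice."""
    return alphabet ** length


def bits(alphabet: int, length: int) -> float:
    """The same quantity on a log scale: log2(X^L) = L * log2(X)."""
    return length * math.log2(alphabet)


def equivalent_length(alphabet: int, target_alphabet: int, target_length: int) -> int:
    """Shortest length over `alphabet` whose keyspace is at least
    target_alphabet ** target_length (exact integer comparison)."""
    goal = keyspace(target_alphabet, target_length)
    length = 1
    while keyspace(alphabet, length) < goal:
        length += 1
    return length


def policy_table(lengths=(6, 8, 9)):
    """For each short 'complex' length, the lowercase-only length
    that gives an equal or larger keyspace."""
    return [(n, round(bits(KEYBOARD, n), 1), equivalent_length(LOWER, KEYBOARD, n))
            for n in lengths]


if __name__ == "__main__":
    for n, b, eq in policy_table():
        print(f"{n} chars from 94 symbols = {b} bits; "
              f"matched by {eq} lowercase chars")
    # The 31-character lowercase-only password from the column.
    print(f"31 lowercase chars = {bits(LOWER, 31):.1f} bits; a 94-symbol "
          f"password needs {equivalent_length(KEYBOARD, LOWER, 31)} chars to match")
```

Each character drawn from the 94-symbol set is worth about 1.4 lowercase characters, so a few extra letters of length cover everything a complexity rule can add at a given length.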